The latest version of Kubernetes does not support Docker as a container runtime anymore. That is why many Kubernetes administrators have migrated their cluster’s container runtime from docker to another container runtime like containerd or cri-o. Or they will do that soon.
References
- https://gist.github.com/mamiu/4944e10305bc1c3af84946b33237b0e9
Old: entering a Container as root with Docker
Most containers that run on Kubernetes clusters do not run as root. But what, if you want to test a container and for that, you want to install and test some software manually before you create a new container image? With Docker that was easy. Just enter the container as root (id=0) and do with the container, whatever you want to do:
docker exec -it --rm -u 0 <container-id> bash
Now, that the containers are no Docker containers anymore, this is not possible anymore.
New: entering a Contaner as root with containerd or CRI-O
Prepare
However, you can runc to enter the container as root. Say, you want to enter a shell as root user in the container running on my-pod on my-namespace. First, you need to calculate the container ID. With that information you can enter the container using runc like follows:
# INPUT
N=my-namespace
# CALCULATE
POD=$(kubectl -n $N get pod | tail -1 | awk '{print $1}')
# or define static POD, if needed:
# POD=my-pod
CONTAINER_ID=$(kubectl -n $N get pod $POD -o jsonpath="{.status.containerStatuses[].containerID}" | sed 's/.*\/\///')containerd: Entering a Container as root with runc
If you are using containerd, you now can enter the root session with a single command:
# RUN SHELL AS ROOT sudo runc --root /run/containerd/runc/k8s.io/ exec -t -u 0 $CONTAINER_ID sh
That’s it! You do not even need to install runc, since runc is part of the installation package if you have installed containerd.
CRI-O: Entering a Container as root with nsenter
With CRI-O, it is slightly more complex, since crtictl does not support entering a root session into a container.
# Retrieve host pid:
HOST_PID=$(crictl inspect $CONTAINER_ID | jq '.info.pid')
# RUN SHELL AS ROOT
nsenter -t ${HOST_PID} -aThat’s it! You do not even need to install runc, since runc is part of the installation package if you have installed containerd (and I guess, also with cri-o…).
P.S.: If you still need to migrate your Kubernetes cluster from Docker container runtime to containerd runtime, you might be interested in this blog post:
Also, if you want to migrate from containerd to CRI-O, see this blog post: